Just followed the instructions for dump and am getting this error:

ps>> .\winpmem_v3.3.rc3.exe --output myimage.raw

IO_ERROR: at win_pmem.cc: 695
2023-10-18 10:50:50 E Imaging failed with error: IO_ERROR

How can we fix this?

Hello,

I was wondering if there were releases for Mac and Linux as well as Windows?

Thanks very much.

after dumping the whole memory with winpmem xx.raw
and then extract lsass.exe using volatility3 we couldn't get access to the lsass using mimikatz
error always showing opening memory in mimikatz.
any help ?

I am trying to use the pcm (performance counter) and using the winpmem driver.

I have the following error on the event viewer:
The winpmem service failed to start due to the following error:
A device attached to the system is not functioning.

I am using the x64.sys file and storing it in the same directory where I run my pcm.exe

Could you kindly help?

Thanks

In addition to a memory image it would be good to get the data that you would require for any generic examination collected via the API in the same collection.

This will ensure that even if the memory collection is incomplete or damaged that there is potentially useful information collected already.

Thanks for this excellent tool !

I tried to add a GUI over WinPmem for end user by redirecting stdin and stdout.

Short version: the output get buffered all at once when the program is terminating under a non console program.
Which prohibits display console information provided by WinPmem when the work is in progress.

After a lot of investigation, I found out this article https://www.codeproject.com/Articles/16163/Real-Time-Console-Output-Redirection which points that under a pipe, the flush behavior of printf under MS C lib is changed when there is no console behind.

This problem will be fixed if a flush is added after each printf.

Perhaps it will be implemented in future.

Where can I obtain the latest release? I appears that the last release was in 2020 but there have been some changes since then.

I have encountered a number of memory capture tools that fail and trigger a BSOD on windows 10. There is a really good article as to why here https://df-stream.com/2017/08/memory-acquisition-and-virtual-secure/.

When I tried to use this in our environment I received this.

This is an unfixable Hyper-V bug.

It happens only on Hyper-V VMs with "Dynamic Memory" enabled.
The memory ranges will fragment after a while leading to thousands of memory ranges. (reported: up to 8000!)
It's not only bad for memory dumping, it's generally bad.

Can be avoided by making sure the "Dynamic Memory" setting is disabled. It can be disabled at any time, but the machine needs to be powered down.

Hello

I've just tried the new release on my laptop, but it produced an error while trying to capture RAM

32bit version of winpmem.exe fails on Window xp service pack 3

Built from source on Master, 12/28/20, VS 2013
Other os(win7,win8,win10 32bit) works as expected

but 32bit exe on 32bit Win xp, service pack 3 VM on fails with following output:

Driver unloaded.
Error <0x7d1>: startservice , Cannot start the driver.
error Startservie , cannot start the driver.
Driver unloaded.

Why don't load dirver on window xp??

I found out there is a couple of checks missing.

First:
https://github.com/Velocidex/WinPmem/blob/master/kernel/executable/winpmem.cpp#L422
If there is no more space on the disk, WriteFile Fails, then copy_memory fails, then write_raw_image succeed.
The status is not propagated at the end of the program (the %ERRORLEVEL% var)

Second:
https://github.com/Velocidex/WinPmem/blob/master/kernel/executable/main.cpp#L189
if the driver install fails, status will be negative and the program will stop.
But the final status will not be propagated at the end of the program (the %ERRORLEVEL% var)

Hello,

I have a BSOD immediatly after launching a memory dump on my test machine (Windows 10.0.19044). The BSOD error is SYSTEM_THREAD_EXCEPTION_NOT_HANDLED.

This is new. Last tests were in march and I didn't have any issue. I use the last release (4.0 RC2).

Are you aware of this issue ? It seems to be related to a Windows 10 update.

Thank you :)

The following project integrates Winpmem to read memory, but some computers do not work. I do not know the reason, and the author is not very clear. It seems that I was asked to ask Winpmem. I don't know what to do. Why can some computers read and others can't?

https://github.com/ufrisk/MemProcFS

I'm just making sure that this is a known issue. I've been trying to output a simple .raw dump.
I've been getting some BSOD errors upon running the compiled executable--my compilation process I will describe below:

I've been compiling the WinPmem.sys and WinPmem.exe file using Visual Studio on Windows 10 64-bit with slight modifications. I've modified the 'winpmem.vcxproj' file in the 'kernel' folder so that the "Target Version" is Windows10 instead of Windows 7:

The reason I did this is because Visual Studio was giving a "WindowsDriver.common.targets ... Windows 7 is not a supported OS" error.

Then, I modified the Treat wchar_t as Built-in Type in the Visual Studio settings so that there was implicit conversion from unsigned shorts to w_char.
(See: https://docs.microsoft.com/en-us/cpp/build/reference/zc-wchar-t-wchar-t-is-native-type?view=msvc-170)

Then, I enabled the Unicode character set in Visual Studio settings so that there was implicit conversion of unsigned shorts and wchar_t to type "TCHAR" (as suggested here: https://social.msdn.microsoft.com/Forums/sqlserver/en-US/ab29659c-e7dd-4c29-9cff-d4629472a195/error-c2664-int-swscanfsconst-wchart-const-wchart-cannot-convert-argument-1-from?forum=vcgeneral).

I then downloaded spectre-mitigation tools, and specified a digest algorithm.
I then compiled a "winpmem.sys" and a "winpmem.exe" file using the "build solution" option on both winpmem.vcxproj files (one in the 'kernel' folder and one in the 'executable' folder).

In terms of running the executable, I've tried running it both with and without the -d flag specified (and with or without the -0 flag). I'm always specifying an output file of type '.raw' instead of an .AFF4 type file.
No matter how I run it, I invariably get an immediate BSOD. Windows gives "SYSTEM_SERVICE_EXCEPTION" error each time I try this, and depending on whether I specify a driver or not, it will either fail on the winpmem.sys file, or a .tmp file. (As specified by the field "what failed").

It's worth noting that the mini-file (winpmem_mini_x64_rc2.exe, which, as you've said, is based on the 1.6 branch) has no problems running on my PC.

Additionally, it's also worth noting that I'm running VSM on my system, though I believe you guys already fixed that problem?:
http://blog.rekall-forensic.com/2018/09/virtual-secure-mode-and-memory.html
(And also: #9)

Let me know if I'm missing something super obvious, or if there is a fix in the works.
Also let me know if you need more information and I'd be happy to supply it.

Thank you so much for your help!

Built from source on Master, 11/4/20, VS 2019 16.7.1
64bit exe works as expected
32bit exe on 64bit Win 10, version 2004 build 19041.572 (bare hardware) fails with following output:

**D:\Work\DevProjects\PmemMaster\kernel\executable\Debug>winpmem.exe d:\temp\ram32-1.raw
WinPmem64
Extracting driver to C:\Users\John\AppData\Local\Temp\pmeD628.tmp
Driver Unloaded.
Loaded Driver C:\Users\John\AppData\Local\Temp\pmeD628.tmp.
Deleting C:\Users\John\AppData\Local\Temp\pmeD628.tmp
Failed to get memory geometry,: The program issued a command but the command length is incorrect.

The system time is: 16:46:30
Driver Unloaded.**

Also, when run on a Win 7 32 VM (version 6.1 Build 7601: Service Pack 1), it initially fails by incorrectly selecting the PTE method. Out as follows:

**C:\Users\Adam\Downloads\PMem\win32>winpmem.exe C:\Users\Adam\Downloads\PMem\win3
2\ramcapturepmem20200103.raw
WinPmem32
extract_driver

• service_name: pmem
• filename: C:\Users\Adam\AppData\Local\Temp\pme5D76.tmp
• Extracting driver to C:\Users\Adam\AppData\Local\Temp\pme5D76.tmp
  Driver Unloaded.
  Loaded Driver C:\Users\Adam\AppData\Local\Temp\pme5D76.tmp.
  Deleting C:\Users\Adam\AppData\Local\Temp\pme5D76.tmp
  Failed to set acquisition mode 2 : A device attached to the system is not functi
  oning.

PTE Remapping
Driver Unloaded.**

When run with the -1 option, forcing to PhysicalMemory method, ram capture succeeds.

It would be great to have aff4 support again, for logical file/folders aquisition.
One question about c-aff4, when aquiring files, they have the date of creation/modification changed to the aquisition time. As a forensic image, shouldnt it keep the original date?

Thank you.

We're interested in running a standalone aff4imager with logical file copy options to test it out. Is there a current .exe build we can download? I noticed the latest WinPmem doesn't include the feature.

Thanks!

Greetings,

Report RE: WinPmem 4.0 RC (x64)

Summary:

When the pagefile on an Azure virtual machine, located on the secondary disk) is larger than 4GB, winpmem fails to dump. When it is <= 4GB, the dump works as expected.
The winpmem command is a regular dump, no additional arguments are presented to it.
This behavior is consistent.

The output on the console is as follows:
WinPmem64 Extracting driver to C:\Users\tadmin\AppData\Local\Temp\pmeB59A.tmp Driver Unloaded. Deleting C:\Users\tadmin\AppData\Local\Temp\pmeB59A.tmp Driver Unloaded.
The produced dump-file is present, but completely empty.
Is it possible to either fix this issue, or have winpmem at least output some more informative errors ?

Attachments:

WinDbg "Timeless Debugger" traces of two failures on the same machine.
Traces.zip

Machine details:

Installed Physical Memory (RAM) 4,00 GB
Total Physical Memory 4,00 GB
Available Physical Memory 1,96 GB
Total Virtual Memory 10,0 GB
Available Virtual Memory 7,53 GB
Page File Space 6,00 GB
Page File D:\pagefile.sys
Kernel DMA Protection Off
Virtualization-based security Not enabled
Hardware Abstraction Layer Version = "10.0.19041.964"
PCR7 Configuration Binding Not Possible
BaseBoard Version 7.0
BaseBoard Product Virtual Machine
BaseBoard Manufacturer Microsoft Corporation
BIOS Mode Legacy
SMBIOS Version 2.3
BIOS Version/Date American Megatrends Inc. 090008, 7.12.2018
Processor Intel(R) Xeon(R) Platinum 8272CL CPU @ 2.60GHz,
2594 Mhz, 2 Core(s), 2 Logical Processor(s)
System Type x64-based PC
System Manufacturer Microsoft Corporation
System Model Virtual Machine
System Name win10-21h1
OS Name Microsoft Windows 10 Pro
Version 10.0.19043 Build 19043
Experience Windows Feature Experience Pack 120.2212.2020.0

Memory Details:

Resource Device Status
0x0000-0x9FFFF System board OK
0xFFFC0000-0xFFFFFFFF System board OK
0xFEC00000-0xFEC00FFF Motherboard resources OK
0xFEE00000-0xFEE00FFF Motherboard resources OK
0xFF800000-0xFFFFFFFF Microsoft Hyper-V Video OK
0xE0000000-0xFFFFFFFF PCI Bus OK
0xF8000000-0xFBFFFFFF Microsoft Hyper-V S3 Cap OK
0xA0000-0xBFFFF PCI Bus OK
0xC0000-0xDFFFF System board OK
0xE0000-0xFFFFF System board OK
0x100000-0x3FFFFFFF System board OK
0x40000000-0xFFFBFFFF PCI Bus OK

We have spent some time trying to understand how WinPmem interacts with Microsofts persistent memory driver.
(Some random docs mentioning it: HCI, SQL, PS)

Unfortunately, WinPmem completely ignores it, removes the service, and does not restore it.

Also, if the driver is already loaded, the service cannot be stopped, and WinPmem fails to run.

This should only be an issue on Windows 10 or newer.

C:\>sc qc pmem
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: pmem
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : \SystemRoot\System32\drivers\pmem.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Microsoft persistent memory disk driver
        DEPENDENCIES       :
        SERVICE_START_NAME :

I would suggest, instead of making WinPmem test different cases if the driver is loaded or not, and trying to restore it, I would just rename the WinPmem service to winpmem instead of pmem.

Also, a command-line argument for the service name would also be nice, as an optional extra. But not a high priority.

Also, WinPmem as a name, is that for physical memory? Because imo, that's assumed, in my mind. Pmem means persistent memory. But that's not what I'm creating this issue for! 😁

Issue

When comparing the performance of memdump in volatility 2 and memmap in volatility 3 I have noticed a significant performance impact.

First discussed on Slack - https://volatilitycommunity.slack.com/archives/CNV2K4V9Q/p1639950485064800 , opening a GIt issue with more details.

Expected Behaviour

memdump and memmap --dump processing times should be comparable.

Actual Behaviour

Running the command with Vol2 takes ~8 seconds to dump and Vol3 takes almost 3 minutes.

Host Details

Host OS: Ubuntu 20.04
Image: AWS Server 2016 Win2016x64_14393
Collection: winpmem_mini_x64_rc2.exe

Volatility 2.6

time vol.py -f image1.raw --profile Win2016x64_14393 memdump -p 4604 -D . 
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing rundll32.exe [  4604] to 4604.dmp

real	0m8.385s
user	0m7.564s
sys	0m0.807s

Volatility 3 (develop Branch)

vol -f image1.raw --output-dir=procdump/ windows.memmap --pid 4604 --dump  
... Lots of print to screen all the offsets. 

174.19s user 3.10s system 99% cpu 2:57.57 total

write-config

Using --write-config and then running again with the resulting config file has no significant change in the time

vol -c config.json -f image1.raw --output-dir=procdump/ windows.memmap --pid 4604
161.77s user 2.52s system 99% cpu 2:44.76

Other Plugins

Other plugins run in a "normal" amount of time

• vol -f image1.raw --output-dir=procdump/ windows.pslist 1.40s user 0.44s syst em 99% cpu 1.841 total

Profile

Performance profile captured with the following command

python3 -m cProfile -o out.prof vol.py -f image1.raw --output-dir=procdump/ windows.memmap --pid 4604 --dump

profile.zip

TLDR:
The RC2 version of WinPMem v4 fails to run reliably on Windows 10 v2004 and v2009 (20H2) when in a HyperV guest with the "dynamic memory" option enabled. This option is unfortunately a HyperV default, but may be disabled. The failure occurs when the memory of the guest has been expanded at some point in the past due to pressure on memory within the guest. Prior to such memory expansion the memory dump operates as expected.

Conditions tested:

1. Execution under Windows 10 v2004 and v2009.
2. Operating system under HyperV with the "dynamic memory" option enabled.
3. Operating system under HyperV with the "dynamic memory" option disabled.
4. Operating system under VMware v16.1.
5. RAM allocations to virtual machines: 2GB, 4GB.
6. Processor allocations to virtual machines: 2, 4.
7. Memory pressure applied by running multiple instances of VisualStudio to consume memory prior to test.
8. Target output modes tested: both stdout and file.
9. All methods of memory acquisition (-0, -1, -2).

Conditions NOT tested:

1. Execution under any other Windows OS version.

Failure condition noticed at:

1. Windows 10 v2004 and v2009
2. Execution under HyperV with "dynamic memory" enabled.
3. Failure is independent of the number of cores and the RAM allocation.
4. Failure does NOT occur on VMware guests.
5. Failure does not occur when "dynamic memory" is disabled.

Symptoms:

1. Immediate error code received: -1 or -8.
2. Failure message:
   "Failed to get memory geometry: The program issued a command but the command length is incorrect"

Notes:

1. Failure does not occur unless memory pressure has been applied to the guest at some point in the past since the guest has started.

Hello,

is a time sheduled when a signed driver of the fixed WinPmem version will be available?

Thank you!

running 0.6.7 server on Ubuntu 20.04
running 0.6.7 client on Windows 10
both images are part of DetectionLabELK, which I am using for testing and training.
I am trying to use Velociraptors Windows.Memory.Aquisition and I get this error in the logs

2023-01-20T14:36:10Z |   | http_client: Error Get "https://localhost:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277": dial tcp 127.0.0.1:8000: connectex: No connection could be made because the target machine actively refused it. while fetching https://localhost:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277

2023-01-20T14:36:10Z |   | downloaded hash of Get "https://localhost:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277": dial tcp 127.0.0.1:8000: connectex: No connection could be made because the target machine actively refused it.: Null, expected dc6a82fc6cfda792d3182e07de10adbfba42bf336ef269dbc40732c4b2ae052c

2023-01-20T14:36:10Z |   | Time 17: Windows.Memory.Acquisition: Sending response part 0 0 B (0 rows).

I know there is an override that can leverage the use of a downloaded copy of winpmem that can be uploaded for use, but I get this error:
http_client: Downloading https://192.168.38.105:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277 into C:\Program Files\Velociraptor\Tools\tmp2433700015.exe <- server address

2023-01-20T14:30:38Z |   | downloaded hash of C:\Program Files\Velociraptor\Tools\tmp2433700015.exe: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, expected e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

2023-01-20T14:30:38Z |   | copy: Copying file from C:\Program Files\Velociraptor\Tools\tmp2433700015.exe into C:\Program Files\Velociraptor\Tools\051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277.exe

2023-01-20T14:30:38Z |   | tempfile: removing tempfile C:\Program Files\Velociraptor\Tools\tmp2433700015.exe

2023-01-20T14:30:38Z |   | Adding global destructor for C:\Program Files\Velociraptor\Tools\tmp3089897230.raw

2023-01-20T14:30:38Z |   | shell: Running external command [C:\Program Files\Velociraptor\Tools\051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277.exe C:\Program Files\Velociraptor\Tools\tmp3089897230.raw]

shell: Running external command [C:\Program Files\Velociraptor\Tools\051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277.exe C:\Program Files\Velociraptor\Tools\tmp3089897230.raw]

2023-01-20T14:30:38Z |   | shell: fork/exec C:\Program Files\Velociraptor\Tools\051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277.exe: %1 is not a valid Win32 application.

Any help will be appreciated.

Hi all! Curious if you guys have a timeline for a full 4.0 release? What's blocking that?

I did not find this question covered anywhere: can WinPmem dump GPU memory as well? This question actually breaks down into 2: (1) Can it dump dedicated gpu memory on a discrete gpu? (2) can it dump the memory used by iGPU (Intel UHD/..) which shares the system RAM?

With DbgView.exe，the value of number_of_runs == 50, so dump ram failed here.

Hi, We have been using the winpmem.sys drivers to perform memory collections using winpmem.py

On newer windows 10 builds we have been getting error 87 parameter is incorrect at the following line.

win32file.DeviceIoControl(
self.fd, CTRL_IOCTRL, struct.pack("I", mode), 0, None)

Are you aware of which parameter may have changed on the windows end? I can confirm the drivers work on older windows 10 builds.

Thanks

Hi!

I would like to know if there is such a tool for extracting volatile memory from Android operating systems, due to the complexity of extraction with the LiME tool.

Best Regards!

Yet another unfixable Hyper-V bug.

Reading memory using the iospace method will fail if no KD ist attached (no BSOD). There will be a BSOD if KD is attached. It might also BSOD with verifier, since KD and verifier have some similarities (needs verification).
Other methods did work.

This is considered a weird error because the outcome depends on whether a kernel debugger is running or not.

Might possibly happen also on barebone machines that have a Hyper-V layer. You get a Hyper-V layer if you enable one of the following:
1.) application guard
2.) the 'discardable' sandbox
3.) Hyper-V Manager
4.) Core isolation
5.) Credential guard (Win10 enterprise only)

https://github.com/ufrisk/LeechCore/wiki/Device_WinPMEM
I use this item to prompt this error. I don't know how to install it.

Hello,

I've just tried the new 4.0rc1 release on my laptop, but it produced an error while trying to capture RAM.

00% 0x00100000 ....Failed to Read memory.
: The request could not be performed because of an I/O device error. 

I've tried all three methods, but all of them either produced the above error or sent my computer to BSOD.

This is Windows 10 Pro x64 with 2004 update (exact version is 10.0.19041.508). Full output is attached.

method_2_output.txt

Hi All,

I'm trying to send the ram dump output to the remote host directly, instead of touching to the disk using socat.

But it's getting failed in client side.

Client( wIndows)
.\winpmem_mini_x64_rc2.exe -w | .\socat.exe -t 100 -T 100 TCP:IP:443 STDIN

Please do the needful, thanks.